Accepting card payments in the EU should be straightforward. However, as many merchants have already realized, accepting any type of payment online comes with a suitcase full of dense regulation, shifting requirements, and for merchants who get it wrong, a real financial risk.
Although more local and alternative payment methods are breaking through, cards are still the primary payment method. Many see the Visa and Mastercard logos and feel reassured about handing over their hard-earned cash. However, there is a downside for the merchant, as accepting cards online comes with compliance obligations, fraud exposure, and avoidable costs.
To help those small and mid-sized merchants who don’t have the resources to spend on payment experts, this article breaks down how card processing works in the EU, the regulatory demands on the merchant, and how the right payment partner (that’s DIMOCO, in case you’re curious) makes card processing and all of its baggage a foundation for growth.
Who’s involved in the card payment process
Every card transaction follows a basic four-party model. Once you understand it, you can see where the costs come from, where the risk lies, and how your payment provider is earning its money.
- The cardholder – your customer.
- The issuing bank – the bank that issued your customer’s card and authorizes the transaction.
- The card scheme – such as Visa and Mastercard. The scheme sets the rules and charges fees for using its network.
- The acquiring bank – your payment processor, which receives the transaction request, routes it through the scheme to the issuer, and settles funds into your account.
Payment flow in action
- The customer makes a purchase with their card
- The Merchant sends the details to their Acquirer for authentication
- The Acquirer asks the card scheme for approval from the customer's bank (the Issuer)
- The Issuer approves payment to the scheme
- The money flows from the issuer to the Merchant's bank
This whole process, authorization, authentication, and settlement, happens in seconds. You, as the merchant, pay for all of this via your Merchant Service Charge (MSC). This fee bundles together three components: interchange (paid to the issuing bank), scheme fees (paid to card networks such as Visa and Mastercard), and the acquirer margin (your processor’s fee for making it all happen). This is the simplest flow, but it may differ slightly depending on your payment set-up. You may have additional costs if you are working with a payfac, ISO, or orchestration platform. However, all of this should be added together into one fee, the MSC.
The EU regulatory framework
EU payment regulation affects every merchant that accepts cards. For simplicity’s sake, and to make sure you keep reading, we will look at the three most relevant frameworks.
PSD2 and Strong Customer Authentication: what merchants need to know
PSD2 is the EU’s revised Payment Services Directive. Its most significant requirement for merchants is Strong Customer Authentication (SCA). SCA requires electronic card payments to be verified using at least two independent factors. This is normally something the customer knows (a password or PIN) and something they have (a mobile device).
In practice, SCA is implemented via 3D Secure 2 (3DS2), the current authentication protocol supported by Visa (Visa Secure) and Mastercard (Identity Check). When triggered, 3DS2 presents a challenge, most often a push notification to the customer’s banking app, before the payment is authorized.
How SCA impacts conversion
Every authentication challenge is a point of friction that can trigger the customer to jump ship and abandon their cart. For merchants processing high volumes of transactions, badly configured SCA can directly reduce revenue. Exemption logic – knowing when to challenge – is one of the most valuable things a payment partner can do for you.
PSD2 includes several SCA exemptions that, when applied correctly, allow transactions to proceed without a challenge:
- Low-value transactions – payments under €30 are exempt, up to a cumulative limit per card.
- Transaction Risk Analysis – acquirers with low fraud rates can exempt transactions below certain value thresholds without triggering authentication.
- Recurring transactions – after initial authentication, subsequent charges with the same amount can be processed challenge free.
- Merchant-initiated transactions – for subscription billing where the merchant initiates the charge, not the cardholder in real time.
Setting up exemptions requires technical implementation. Working with a payment partner with strong fraud tooling and a good understanding of your business and its unique needs can help you unlock exemptions and boost conversion rates.
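The exemption checks listed above can be written as one decision function. This is an added example, not DIMOCO's code: the `Payment` fields and function names are hypothetical, and the €100 / five-payment counters and the fraud-rate bands come from the PSD2 regulatory technical standards rather than from this article.

```python
from dataclasses import dataclass
from typing import Optional

# Limits from the PSD2 regulatory technical standards (not stated in the article).
LOW_VALUE_CENTS = 30_00      # single payment must be under EUR 30
CUMULATIVE_CENTS = 100_00    # total spent on the card since the last SCA
MAX_UNCHALLENGED = 5         # consecutive payments since the last SCA
# (acquirer fraud-rate ceiling in basis points, highest exempt amount in cents)
TRA_BANDS = [(1, 500_00), (6, 250_00), (13, 100_00)]


@dataclass
class Payment:  # hypothetical shape, constructed for this example
    amount_cents: int
    merchant_initiated: bool = False     # cardholder is not in session
    recurring_same_amount: bool = False  # follows an authenticated first charge
    spent_since_sca_cents: int = 0       # per-card counter
    count_since_sca: int = 0             # per-card counter


def tra_limit_cents(fraud_rate_bp: float) -> int:
    """Highest amount the acquirer's fraud rate allows under TRA (0 = none)."""
    for ceiling_bp, limit in TRA_BANDS:
        if fraud_rate_bp <= ceiling_bp:
            return limit
    return 0


def sca_exemption(p: Payment, acquirer_fraud_rate_bp: float) -> Optional[str]:
    """Return the exemption to request, or None when a 3DS2 challenge is needed."""
    if p.merchant_initiated:
        return "merchant_initiated"
    if p.recurring_same_amount:
        return "recurring"
    # Conservative assumption: both per-card counters must still have headroom.
    if (p.amount_cents < LOW_VALUE_CENTS
            and p.spent_since_sca_cents + p.amount_cents <= CUMULATIVE_CENTS
            and p.count_since_sca < MAX_UNCHALLENGED):
        return "low_value"
    # A real TRA decision also needs a per-transaction risk score; omitted here.
    limit = tra_limit_cents(acquirer_fraud_rate_bp)
    if limit and p.amount_cents <= limit:
        return "transaction_risk_analysis"
    return None
```

The issuer can still refuse a requested exemption and ask for authentication, so the caller needs a fallback path to a 3DS2 challenge.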
The Interchange Fee Regulation (IFR)
The IFR caps interchange fees on consumer cards at 0.2% for debit and 0.3% for credit. For most eCommerce merchants, the majority of customer payments fall under these caps.
However, corporate and commercial cards are excluded from IFR caps and can carry an interchange fee of 1.5% or more. If you have a large proportion of business customers paying by company card, your card costs will be higher than the headline IFR rates suggest.
This is why transparent IC+ pricing from your acquirer is important, as blended rates would hide this.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard. It is contractually required by card schemes for all merchants. It defines how cardholder data must be stored, transmitted, and processed.
The practical goal is to reduce PCI DSS scope as much as possible. The most effective way to do this is tokenization: rather than storing card numbers, you store a token that references the card in your payment provider’s vault. If your systems are breached, there is no cardholder data to steal.
How DIMOCO supports PCI DSS compliance
We are PCI DSS Level 1 certified. This means all card data is tokenized at point of entry and never touches your servers, which removes the most demanding PCI requirements from your compliance scope.
EU card payment compliance in a nutshell
Below is a summary of the main regulatory requirements affecting card payments in the EU, what they mean for merchants, and how they can be addressed in practice with the right payment partner, such as DIMOCO.
| Requirement | What it means for you | How we help |
|---|---|---|
| PSD2 / SCA | Two-factor authentication required on card transactions | Built-in 3DS2, fraud controls, and smart exemption logic to maintain authorization and conversion rates |
| PCI DSS | Cardholder data must be handled to strict security standards | PCI DSS Level 1 infrastructure with full tokenization, reducing your compliance scope |
| GDPR | Payment data is personal data; storage and processing must be compliant | Payment data is personal data and must be stored and processed in compliance with EU data protection rules |
| IFR (Interchange) | Consumer card interchange is capped at 0.2–0.3%, while commercial cards are not capped | Pricing with full cost visibility |
Choosing the right payment partner
In the EU, accepting payments online is shaped by regulation, such as PSD2 and SCA, which directly impacts how payments are processed. However, as a merchant, payment infrastructure is not something you should think about constantly. The right payment partner handles compliance, keeps pace with regulatory change, and gives you fraud and risk controls to manage fraud and optimize conversion.
When evaluating payment providers, make sure you ask the questions that matter:
- Are they EU licensed?
- Is pricing transparent?
- How do they handle SCA exemptions?
- What does their fraud tooling look like?
- Where is the data stored?
In the end
Card processing in the EU is heavily regulated, which, despite the headaches, is a good thing. It was created to ensure that you and your customers are protected. The PSD2 is a framework that, when implemented correctly, reduces fraud liability and enables smoother checkout.
But… there is always a but. To make sure your payments flow, you need support from a payment provider who thrives on the details and understands SCA exemption logic, recurring billing rules, marketplace licensing, local scheme support, and the list goes on. However, these are not problems that you should be solving from scratch. They are exactly what a payment partner with deep EU expertise is for.


